r-saml 1.0.1

data/test/slo_logoutresponse_test.rb

@@ -0,0 +1,185 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+require 'onelogin/ruby-saml/slo_logoutresponse'
+
+class SloLogoutresponseTest < Minitest::Test
+
+  describe "SloLogoutresponse" do
+    let(:settings) { OneLogin::RubySaml::Settings.new }
+    let(:logout_request) { OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document) }
+
+    before do
+      settings.idp_entity_id = 'https://app.onelogin.com/saml/metadata/SOMEACCOUNT'
+      settings.idp_slo_target_url = "http://unauth.com/logout"
+      settings.name_identifier_value = "f00f00"
+      settings.compress_request = true
+      settings.certificate = ruby_saml_cert_text
+      settings.private_key = ruby_saml_key_text
+      logout_request.settings = settings
+    end
+
+    it "create the deflated SAMLResponse URL parameter" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id)
+      assert_match /^http:\/\/unauth\.com\/logout\?SAMLResponse=/, unauth_url
+
+      inflated = decode_saml_response_payload(unauth_url)
+      assert_match /^<samlp:LogoutResponse/, inflated
+    end
+
+    it "support additional params" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, nil, { :hello => nil })
+      assert_match /&hello=$/, unauth_url
+
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, nil, { :foo => "bar" })
+      assert_match /&foo=bar$/, unauth_url
+
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, nil, { :RelayState => "http://idp.example.com" })
+      assert_match /&RelayState=http%3A%2F%2Fidp.example.com$/, unauth_url
+    end
+
+    it "set InResponseTo to the ID from the logout request" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id)
+
+      inflated = decode_saml_response_payload(unauth_url)
+      assert_match /InResponseTo='_c0348950-935b-0131-1060-782bcb56fcaa'/, inflated
+    end
+
+    it "set a custom successful logout message on the response" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, "Custom Logout Message")
+
+      inflated = decode_saml_response_payload(unauth_url)
+      assert_match /<samlp:StatusMessage>Custom Logout Message<\/samlp:StatusMessage>/, inflated
+    end
+
+    describe "when the settings indicate to sign (embedded) logout response" do
+
+      before do
+        settings.compress_response = false
+        settings.security[:logout_responses_signed] = true
+        settings.security[:embed_sign] = true
+      end
+
+      it "create a signed logout response" do
+        logout_request.settings = settings
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message")
+
+        response_xml = Base64.decode64(params["SAMLResponse"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
+        assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1'\/>/, response_xml
+      end
+
+      it "create a signed logout response with 256 digest and signature methods" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+        settings.security[:digest_method] = XMLSecurity::Document::SHA256
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message")
+
+        response_xml = Base64.decode64(params["SAMLResponse"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
+        assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#sha256'\/>/, response_xml
+      end
+
+      it "create a signed logout response with 512 digest and signature method RSA_SHA384" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        settings.security[:digest_method] = XMLSecurity::Document::SHA512
+        logout_request.settings = settings
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message")
+
+        response_xml = Base64.decode64(params["SAMLResponse"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
+        assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha384'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#sha512'\/>/, response_xml
+      end
+    end
+
+    describe "#create_params when the settings indicate to sign the logout response" do
+
+      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+      before do
+        settings.compress_response = false
+        settings.security[:logout_responses_signed] = true
+        settings.security[:embed_sign] = false
+      end
+
+      it "create a signature parameter with RSA_SHA1 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
+
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA256 /SHA256 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
+
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
+
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,257 @@
+require 'simplecov'
+
+SimpleCov.start do
+  add_filter "test/"
+  add_filter "lib/onelogin/ruby-saml/logging.rb"
+end
+
+require 'stringio'
+require 'rubygems'
+require 'bundler'
+require 'minitest/autorun'
+require 'mocha/setup'
+require 'timecop'
+
+Bundler.require :default, :test
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+require 'onelogin/ruby-saml/logging'
+
+TEST_LOGGER = Logger.new(StringIO.new)
+OneLogin::RubySaml::Logging.logger = TEST_LOGGER
+
+class Minitest::Test
+  def fixture(document, base64 = true)
+    response = Dir.glob(File.join(File.dirname(__FILE__), "responses", "#{document}*")).first
+    if base64 && response =~ /\.xml$/
+      Base64.encode64(File.read(response))
+    else
+      File.read(response)
+    end
+  end
+
+  def read_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", response))
+  end
+
+  def read_invalid_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", "invalids", response))
+  end
+
+  def read_logout_request(request)
+    File.read(File.join(File.dirname(__FILE__), "logout_requests", request))
+  end
+
+  def read_certificate(certificate)
+    File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
+  end
+
+  def response_document_valid_signed
+    @response_document_valid_signed ||= read_response("valid_response.xml.base64")
+  end
+
+  def response_document_without_recipient
+    @response_document_without_recipient ||= read_response("response_with_undefined_recipient.xml.base64")
+  end
+
+  def response_document_without_recipient_with_time_updated
+    doc = Base64.decode64(response_document_without_recipient)
+    doc.gsub!(/NotBefore=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotBefore=\"#{(Time.now-300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
+    doc.gsub!(/NotOnOrAfter=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotOnOrAfter=\"#{(Time.now+300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
+    Base64.encode64(doc)
+  end
+
+  def response_document_without_attributes
+    @response_document_without_attributes ||= read_response("response_without_attributes.xml.base64")
+  end
+
+  def response_document_without_reference_uri
+    @response_document_without_reference_uri ||= read_response("response_without_reference_uri.xml.base64")
+  end
+
+  def response_document_with_signed_assertion
+    @response_document_with_signed_assertion ||= read_response("response_with_signed_assertion.xml.base64")
+  end
+
+  def response_document_with_signed_assertion_2
+    @response_document_with_signed_assertion_2 ||= read_response("response_with_signed_assertion_2.xml.base64")
+  end
+
+  def response_document_unsigned
+    @response_document_unsigned ||= read_response("response_unsigned_xml_base64")
+  end
+
+  def response_document_with_saml2_namespace
+    @response_document_with_saml2_namespace ||= read_response("response_with_saml2_namespace.xml.base64")
+  end
+
+  def ampersands_document
+    @ampersands_response ||= read_response("response_with_ampersands.xml.base64")
+  end
+
+  def response_document_no_cert_and_encrypted_attrs
+    @response_document_no_cert_and_encrypted_attrs ||= Base64.encode64(read_response("response_no_cert_and_encrypted_attrs.xml"))
+  end
+
+  def response_document_wrapped
+    @response_document_wrapped ||= read_response("response_wrapped.xml.base64")
+  end
+
+  def response_document_assertion_wrapped
+    @response_document_assertion_wrapped ||= read_response("response_assertion_wrapped.xml.base64")
+  end
+
+  def response_document_encrypted_nameid
+    @response_document_encrypted_nameid ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_encrypted_nameid.xml.base64'))
+  end
+
+  def signed_message_encrypted_unsigned_assertion
+    @signed_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'signed_message_encrypted_unsigned_assertion.xml.base64'))    
+  end
+
+  def signed_message_encrypted_signed_assertion
+    @signed_message_encrypted_signed_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'signed_message_encrypted_signed_assertion.xml.base64'))    
+  end
+
+  def unsigned_message_encrypted_signed_assertion
+    @unsigned_message_encrypted_signed_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_signed_assertion.xml.base64'))    
+  end
+
+  def unsigned_message_encrypted_unsigned_assertion
+    @unsigned_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_unsigned_assertion.xml.base64'))    
+  end
+
+  def signature_fingerprint_1
+    @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
+  end
+
+  # certificate used on response_with_undefined_recipient
+  def signature_1  
+    @signature1 ||= read_certificate("certificate1")
+  end
+
+  # certificate used on response_document_with_signed_assertion_2
+  def certificate_without_head_foot
+    @certificate_without_head_foot ||= read_certificate("certificate_without_head_foot")
+  end
+
+  def idp_metadata
+    @idp_metadata ||= read_response("idp_descriptor.xml")
+  end
+
+  def logout_request_document
+    unless @logout_request_document
+      xml = read_logout_request("slo_request.xml")
+      deflated = Zlib::Deflate.deflate(xml, 9)[2..-5]
+      @logout_request_document = Base64.encode64(deflated)
+    end
+    @logout_request_document
+  end
+
+  def logout_request_xml_with_session_index
+    @logout_request_xml_with_session_index ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request_with_session_index.xml'))
+  end
+
+  def invalid_logout_request_document
+    unless @invalid_logout_request_document
+      xml = File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'invalid_slo_request.xml'))
+      deflated = Zlib::Deflate.deflate(xml, 9)[2..-5]
+      @invalid_logout_request_document = Base64.encode64(deflated)
+    end
+    @invalid_logout_request_document
+  end
+
+  def logout_request_base64
+    @logout_request_base64 ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request.xml.base64'))
+  end
+
+  def logout_request_deflated_base64
+    @logout_request_deflated_base64 ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request_deflated.xml.base64'))
+  end
+
+  def ruby_saml_cert
+    @ruby_saml_cert ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
+  end
+
+  def ruby_saml_cert_fingerprint
+    @ruby_saml_cert_fingerprint ||= Digest::SHA1.hexdigest(ruby_saml_cert.to_der).scan(/../).join(":")
+  end
+
+  def ruby_saml_cert_text
+    read_certificate("ruby-saml.crt")
+  end
+
+  def ruby_saml_key
+    @ruby_saml_key ||= OpenSSL::PKey::RSA.new(ruby_saml_key_text)
+  end
+
+  def ruby_saml_key_text
+    read_certificate("ruby-saml.key")
+  end
+
+  #
+  # logoutresponse fixtures
+  #
+  def random_id
+    "_#{UUID.new.generate}"
+  end
+
+  #
+  # decodes a base64 encoded SAML response for use in SloLogoutresponse tests
+  #
+  def decode_saml_response_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLResponse=").last)
+    decoded = Base64.decode64(payload)
+
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
+
+  #
+  # decodes a base64 encoded SAML request for use in Logoutrequest tests
+  #
+  def decode_saml_request_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
+    decoded = Base64.decode64(payload)
+
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
+
+  SCHEMA_DIR = File.expand_path(File.join(__FILE__, '../../lib/schemas'))
+
+  #
+  # validate an xml document against the given schema
+  #
+  def validate_xml!(document, schema)
+    Dir.chdir(SCHEMA_DIR) do
+      xsd = if schema.is_a? Nokogiri::XML::Schema
+              schema
+            else
+              Nokogiri::XML::Schema(File.read(schema))
+            end
+
+      xml = if document.is_a? Nokogiri::XML::Document
+              document
+            else
+              Nokogiri::XML(document) { |c| c.strict }
+            end
+
+      result = xsd.validate(xml)
+
+      if result.length != 0
+        raise "Schema validation failed! XSD validation errors: #{result.join(", ")}"
+      else
+        true
+      end
+    end
+  end
+end

data/test/utils_test.rb

@@ -0,0 +1,145 @@
+require "test_helper"
+
+class UtilsTest < Minitest::Test
+  describe ".format_cert" do
+    let(:formatted_certificate) do
+      read_certificate("formatted_certificate")
+    end
+
+    it "returns empty string when the cert is an empty string" do
+      cert = ""
+      assert_equal "", OneLogin::RubySaml::Utils.format_cert(cert)
+    end
+
+    it "returns nil when the cert is nil" do
+      cert = nil
+      assert_equal nil, OneLogin::RubySaml::Utils.format_cert(cert)
+    end
+
+    it "returns the certificate when it is valid" do
+      assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_certificate)
+    end
+
+    it "reformats the certificate when there are spaces and no line breaks" do
+      invalid_certificate1 = read_certificate("invalid_certificate1")
+      assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate1)
+    end
+
+    it "reformats the certificate when there are spaces and no headers" do
+      invalid_certificate2 = read_certificate("invalid_certificate2")
+      assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate2)
+    end
+
+    it "reformats the certificate when there line breaks and no headers" do
+      invalid_certificate3 = read_certificate("invalid_certificate3")
+      assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate3)
+    end
+  end
+
+  describe ".format_private_key" do
+    let(:formatted_private_key) do
+      read_certificate("formatted_private_key")
+    end
+
+    it "returns empty string when the private key is an empty string" do
+      private_key = ""
+      assert_equal "", OneLogin::RubySaml::Utils.format_private_key(private_key)
+    end
+
+    it "returns nil when the private key is nil" do
+      private_key = nil
+      assert_equal nil, OneLogin::RubySaml::Utils.format_private_key(private_key)
+    end
+
+    it "returns the private key when it is valid" do
+      assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_private_key)
+    end
+
+    it "reformats the private key when there are spaces and no line breaks" do
+      invalid_private_key1 = read_certificate("invalid_private_key1")
+      assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key1)
+    end
+
+    it "reformats the private key when there are spaces and no headers" do
+      invalid_private_key2 = read_certificate("invalid_private_key2")
+      assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key2)
+    end
+
+    it "reformats the private key when there line breaks and no headers" do
+      invalid_private_key3 = read_certificate("invalid_private_key3")
+      assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key3)
+    end
+
+    describe "an RSA public key" do
+      let(:formatted_rsa_private_key) do
+        read_certificate("formatted_rsa_private_key")
+      end
+
+      it "returns the private key when it is valid" do
+        assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_rsa_private_key)
+      end
+
+      it "reformats the private key when there are spaces and no line breaks" do
+        invalid_rsa_private_key1 = read_certificate("invalid_rsa_private_key1")
+        assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key1)
+      end
+
+      it "reformats the private key when there are spaces and no headers" do
+        invalid_rsa_private_key2 = read_certificate("invalid_rsa_private_key2")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key2)
+      end
+
+      it "reformats the private key when there line breaks and no headers" do
+        invalid_rsa_private_key3 = read_certificate("invalid_rsa_private_key3")
+        assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key3)
+      end
+    end
+  end
+
+  describe "build_query" do
+    it "returns the query string" do
+      params = {}
+      params[:type] = "SAMLRequest"
+      params[:data] = "PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8+"
+      params[:relay_state] = "http://example.com"
+      params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+      query_string = OneLogin::RubySaml::Utils.build_query(params)
+      assert_equal "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1", query_string
+    end
+  end
+
+  describe "#verify_signature" do
+    before do
+      @params = {}
+      @params[:cert] = ruby_saml_cert
+      @params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+      @params[:query_string] = "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
+    end
+
+    it "returns true when the signature is valid" do
+      @params[:signature] = "uWJm/T4gKLYEsVu1j/ZmjDeHp9zYPXPXWTXHFJZf2KKnWg57fUw3x2l6KTyRQ+Xjigb+sfYdGnnwmIz6KngXYRnh7nO6inspRLWOwkqQFy9iR9LDlMcfpXV/0g3oAxBxO6tX8MUHqR2R62SYZRGd1rxC9apg4vQiP97+atOI8t4="
+      assert OneLogin::RubySaml::Utils.verify_signature(@params)
+    end
+
+    it "returns false when the signature is invalid" do
+      @params[:signature] = "uWJm/InVaLiDsVu1j/ZmjDeHp9zYPXPXWTXHFJZf2KKnWg57fUw3x2l6KTyRQ+Xjigb+sfYdGnnwmIz6KngXYRnh7nO6inspRLWOwkqQFy9iR9LDlMcfpXV/0g3oAxBxO6tX8MUHqR2R62SYZRGd1rxC9apg4vQiP97+atOI8t4="
+      assert !OneLogin::RubySaml::Utils.verify_signature(@params)
+    end
+  end
+
+  describe "#status_error_msg" do
+    it "returns a error msg with a status message" do
+      error_msg = "The status code of the Logout Response was not Success"
+      status_code = "urn:oasis:names:tc:SAML:2.0:status:Requester"
+      status_message = "The request could not be performed due to an error on the part of the requester."
+      status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+      assert_equal = "The status code of the Logout Response was not Success, was Requester -> The request could not be performed due to an error on the part of the requester.", status_error_msg
+
+      status_error_msg2 = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code)
+      assert_equal = "The status code of the Logout Response was not Success, was Requester", status_error_msg2
+
+      status_error_msg3 =  OneLogin::RubySaml::Utils.status_error_msg(error_msg)
+      assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
+    end
+  end
+end